Information
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:
%ProgramFiles%
%windir%
%windir%\System32
HKEY_LOCAL_MACHINE\SOFTWARE
The recommended state for this setting is: Enabled.
Rationale:
This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations
Default Value:
Enabled. (Application write failures are redirected at run time to defined user locations for both the file system and registry.)